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DETAILED ACTION 

This action is in response to the papers filed 9/10/2007. Claims 1, and 15-19, 
Currently claims 1-19 are under consideration. 

Response to Arguments 

Applicant's arguments have been fully considered but they are moot in view of 
new grounds of rejection necessitated by amendment. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-5, and 15-18 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Hoefelmeyer et al (U.S. Patent 7,043,757) in view of Kilpatrick et al 
(U.S. 6,735,703). Hoefelmeyer teaches with respect to claims 1, 15, and 16, a method 
for preventing attacks in a monitored data processing system comprising the steps of: 
upon detection of an intrusion, identifying a malicious code string related to the detected 
intrusion (see column 6 lines 25-35 i.e. viruses are detected by the detection manager 
system); extracting the malicious code string (see column 6 lines 25-35); and forwarding 
the malicious code string to an intrusion limitation subsystem to reduce further 
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intrusions based on the malicious code string (see column 6 lines 25-43 i.e. upon 
detection of a new virus the detection manager system transmits the new signature to 
the remote site scanning system). Hoefelmeyer does not teach detecting an intrusion 
into the data processing system by monitoring system calls. Kilpatrick teaches detecting 
an intrusion into the data processing system by monitoring system calls (see Kilpatrick 
column 2 lines 1 1-22). It would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains to have 
also monitoring system calls to determine whether the system calls of a monitored 
process conform to the profiles of expected behavior (see Kilpatrick column 2 lines 11- 
22). Therefore one would have been motivated to have monitoring system calls. 

With respect to claim 2, wherein the intrusion limitation subsystem comprises a 
pattern filter in the monitored system, and wherein said pattern filter compares incoming 
strings to the malicious code string for reducing further intrusions based on the 
malicious code string (see column 5 lines 15-64). 

With respect to claim 3, wherein the intrusion limitation subsystem comprises a 
response server and wherein said response server (see column 6 lines 25-35 i.e. 
detection manager system) distributes the malicious code string to one or more 
connected systems (see column 6 lines 25-35 i.e. detection manager system transmits 
the new signatures to the remote site scanning system) to reduce further intrusions into 
such connected systems based on the malicious code string (see column 6 lines 25-35). 

With respect to claim 4, wherein the one or more connected systems comprise 
one or more connected monitored systems (see figure 2). 
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With respect to claim 5, wherein the one or more connected systems comprise 
one or more connected monitoring systems (see figure 2). 

With respect to claim 17, further comprising a sensor (see figure 1 element 122 
124 126 140) for monitoring system calls sent to an operating system to detect code 
based intrusions (see column 6 lines 25-35 i.e. viruses are detected by the detection 
manager system). 

With respect to claim 18, wherein the intrusion limitation subsystem comprises: a 
pattern filter connected to the code extractor for receiving extracted malicious code 
strings and for identifying patterns within a processed data stream that match the 
extracted code strings to prevent further intrusions based on the malicious code strings 
(see column 5 lines 15-64 and column 6 lines 25-35). 

Claims 1, 6-8, and 15-18 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Van Der Made (U.S. Patent 7,093,239) in view of Kilpatrick et al 
(U.S. 6,735,703). Van Der Made teaches with respect to claims 1,15, and 16, a method 
for preventing attacks in a monitored data processing system comprising the steps of: 
upon detection of an intrusion, identifying a malicious code string related to the detected 
intrusion (see abstract); extracting the malicious code string (see abstract); and 
forwarding the malicious code string to an intrusion limitation subsystem to reduce 
further intrusions based on the malicious code string (see abstract i.e. store patterns 
and sequences with there corresponding analysis results). Van Der Made does not 
teach detecting an intrusion into the data processing system by monitoring system calls. 
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Kilpatrick teaches detecting an intrusion into the data processing system by monitoring 
system calls (see Kilpatrick column 2 lines 1 1-22). It would have been obvious at the 
time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains to have monitoring system calls to determine whether the 
system calls of a monitored process conform to the profiles of expected behavior (see 
Kilpatrick column 2 lines 1 1-22). Therefore one would have been motivated to have 
monitoring system calls. 

With respect to claim 6, further comprising the steps of: monitoring system calls 
from a daemon executed in a memory of the monitored data processing system (see 
column 2 lines 50 - column 3 line 15); and matching the system calls with one or more 
of established patterns and rules contained in a pattern matcher and representing a 
model of normal behavior (see absract). 

'With respect to claim 7, wherein the matching of the system calls comprises 
establishing a non-deterministic automaton based on an analysis of executable code of 
the daemon (see column 2 lines 50 - column 3 line 15). 

With respect to claim 8, further comprising the step of intercepting the system call 
via a subprogram of the sensor for observing the interaction of the daemon and the 
operating system (see column 2 lines 50 - column 3 line 15). 

With respect to claim 17, further comprising a sensor for monitoring system calls 
sent to an operating system to detect code based intrusions (see abstract). 

With respect to claim 18, wherein the intrusion limitation subsystem comprises: a 
pattern filter (see abstract) connected to the code extractor for receiving extracted 
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malicious code strings and for identifying patterns within a processed data stream that 
match the extracted code strings to prevent further intrusions based on the malicious 
code strings (see abstract). 

Claims 9-1 1 are rejected under 35 U.S.C. 103(a) as being unpatentable over Van 
Der Made (U.S. Patent 7,093,239) in view of Kilpatrick et al (U.S. 6,735,703) in view of 
Kolichtchak (U.S. 2003/0014667). Der Made and Kilpatrick teaches everything with 
respect to claim 8 above but with respect to claim 9 does not teach the steps of 
inspecting a stack upon detection of an intrusion to retrieve an address leading to the 
malicious code string. Kolichtchak teaches the steps of inspecting a stack upon 
detection of an intrusion to retrieve an address leading to the malicious code string (see 
Kolichtchak paragraph 0032). It would have been obvious at the time the invention was 
made to a person having ordinary skill in the art to which said subject matter pertains to 
have inspected the stack upon detection of an intrusion to retrieve an address leading to 
the malicious code string to stop the spread of the malicious code and the effects of 
buufer overflow attacks (see Kolichtchak paragraph 0001-0004). Therefore one would 
have been motivated to have inspected the stack upon detection of an intrusion to 
retrieve an address leading to the malicious code string. 

With respect to claim 10, on detection of an intrusion: locating, as a first element 
on the stack, a return address of a system call entry code from which the subprogram 
departed (see Kolichtchak paragraph 0032); and retrieving a return address of the 
malicious code string pointing to a memory location in the range in which the daemon is 
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executed from a second element on the stack positioned at or near the location of the 
return address of the system call entry code to facilitate finding and extracting of the 
malicious code string (see Kolichtchak paragraph 0032). 

With respect to claim 11, scanning the memory range owned by the executed 
daemon starting from the return address in opposite directions until on one side a first 
region with a plurality of similar addresses and on the other side a second region with a 
plurality of similar instructions that do not alter the sequential control flow is identified 
(see Kolichtchak paragraph 0032); and extracting the malicious code string from 
between the first and second regions (see Kolichtchak paragraph 0032). 

Claim 12 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Hoefelmeyer et al (U.S. Patent 7,043,757) in view of Kilpatrick et al (U.S. 6,735,703) in 
view of Kephart et al (U.S. Patent # 6,016,546). Hoefelmeyer and Kilpatrick teaches 
everything with respect to claim 3 above, but with respect to claim 12 Hoefelmeyer 
teach storing each malicious code string extracted in a database of the response server 
(see Hoefelmeyer column 6 lines 25-43). Hoefelmeyer does not teach correlating the 
stored malicious code strings to find sets of malicious code; and for each set, 
generating a signature that allows the individual identification of all malicious code 
strings contained in the corresponding set. Kephart teaches correlating the stored 
malicious code strings to find sets of malicious code strings (see Kephart column 6 line 
49 - column 7 line 28); and for each set, generating a signature that allows the 
individual identification of all malicious code strings contained in the corresponding set 
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(see Kephart column 6 line 49 - column 7 line 28). It would have been obvious at the 
time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains to have grouped similar malicious code strings together to help 
reduce the amount of memory required to scan a given data string for the presence of 
computer viruses (see Kephart column 1 lines 56-65). Therefore one would have been 
motivated to have grouped similar malicious code strings together. 

Claims 13, 14, 19 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Hoefelmeyer et al (U.S. Patent 7,043,757) in view of Kilpatrick et al (U.S. 
6,735,703) in view of Kephart et al (U.S. Patent # 6,016,546) in further view of Lamburt 
et al (U.S. Patent # 6,374,241). Hoefelmeyer, Kilpatrick and Kephart teach everything 
with respect to claim 12 above but with respect to claim 13 they do not teach wherein 
the correlating comprises utilizing an edit-distance algorithm. Lamburt teaches wherein 
the correlating comprises utilizing an edit-distance algorithm (see Lamburt column 41 
lines 4-62). It would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains to have used a edit- 
distance algorithm to how far apart two strings of data are. Therefore one would have 
been motivated to have grouped similar malicious code strings together using a edit- 
distance algorithm and group them based on a distance smaller than a given distance 
apart (see Lamburt column 41 lines 4-62). 

With respect to claim 14, wherein the sets have mutual edit distances smaller 
than a given threshold distance (see Lamburt column 41 lines 4-62). 
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With respect to claim 19, wherein the intrusion limitation subsystem comprises a 
response server comprising: a database for receiving extracted malicious code strings 
from the code extractor (see Hoefelmeyer column 6 lines 25-43); a correlate connected 
to the database for assembling sets of code strings having mutual edit distances less 
than a given threshold distance; a sequencer connected to the database for generating 
signatures, wherein a signature is generated for each set to facilitate identification of all 
malicious code strings contained in the corresponding set (see Lamburt column 41 lines 
4-62); and a distributor connected to the database for distributing signatures to 
connected systems (see Hoefelmeyer figure 2 and column 6 lines 25-43). 

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
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the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Devin Almeida whose telephone number is 571-270- 
1018. The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 
5:00 P.M. The examiner can also be reached on alternate Fridays from 7:30 A.M. to 
4:00 P.M. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron, can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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Patent Examiner 
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